The IT industry is concerned about plans to introduce criminal liability for leaks

The introduction of criminal liability for the theft, distribution and use of personal data could threaten the business of companies working with big data. This issue worries IT startups and cybersecurity experts. Adoption of the initiative could lead to a serious slowdown in the development of artificial intelligence (AI), which uses large amounts of data, experts warn.

A bill introducing criminal liability for the illegal collection, use and transfer of personal data, including leaks (introduced to the State Duma on December 4 by a group of senators and deputies led by the head of the State Duma Committee on Information Policy, Communications and IT Alexander Khinshtein), caused concern in IT -industry, market participants and specialized lawyers told Kommersant. If we analyze the current wording of the document, they explain, its effect can extend not only to attackers, but also to the owners and management of IT companies that collect big data from open sources and use it for their own developments.

“The project establishes criminal liability not only for those individuals who illegally leaked data, but also for those who used it,” explains Alexander Orekhovich, director of legal initiatives at the Internet Initiatives Development Fund (IIDF). He emphasized that, for example, to work with artificial intelligence (AI), developers “receive huge flows of information from various sources.” The measure, Mr. Orekhovich believes, “will not stimulate the development of technologies in general, including AI, which is now declared as the primary task of the digital economy.”

Mr. Khinshtein confirmed to Kommersant that during the development of documents, “the topic of neural networks and big data arose more than once.” “Big Data technology is actively developing, but a balance is needed between the interests and protection of citizens’ data in the face of an explosive growth in leaks,” he emphasizes. Huge amounts of information, explains Mr. Khinshtein, even if it has been depersonalized, “often contain sensitive information, and there is no guarantee that they will not be used to enrich illegal databases.”

Now there is a colossal gap between legislative activity and the possibility of its effective enforcement, notes Igor Bederov, head of the Internet Search company. “Since supervisory authorities do not have the ability to stop the operation of hundreds of services and bots that illegally use personal data leaks, they will only apply the new standards to those companies that they can detect,” explains the expert.

The Association of Big Data (BDA; unites MTS, Sber, Yandex, etc.) noted that it is impossible to “allow the introduction of a composition in the Criminal Code in which responsibility can be assigned to ordinary employees of the company who are not guilty of the leak.” The DBA proposes to clarify the composition of Article 271.1 of the Criminal Code of the Russian Federation with the introduction of a condition under which the data was knowingly used and transferred illegally.

According to the CEO of X-Panamas (provides services in the field of cybersecurity) Pavel Sitnikov, startups and other projects that can use data, including data leaked, will “simply be closed” after the adoption of the law.

At the same time, the expert admits, the new norms will make it possible to hold accountable the owners of “breakthrough” services or the owners of shady sites, which it is still impossible to fight otherwise. The legal service DestraLegal believes that the amendments will make it possible to prosecute companies that used databases published online to make “cold” calls offering services.

Tatiana Isakova